snopes.com  

  #1  
Old 03 October 2007, 07:20 AM
snopes
Join Date: 18 February 2000
Location: California
Posts: 75,151
Windows Update E-mail Scam

Today's topic is something that has been around for the last couple of years
but within the last few weeks, it seems to have crept back up again.
Therefore, I felt it was my duty to warn you all about it once more. Now, I
know a lot of you have probably already heard of this and you may have dealt
with it yourselves before too, but either way, this is a security issue and
you all need to be aware of it. All right, let's get right to it!

To begin, this e-mail scam has to do with the Windows Updates that come out
every second Tuesday of each month. The hackers involved with this scam are
pretending to be Microsoft and they're sending out fake e-mails, telling
users they need to install a critical update right away. They give you a
link to follow, which takes you to a false version of the Windows Update Web
site. You are then presented with a series of links you can use to download
the update, but in all actuality, you're downloading a Trojan virus and
other malicious patches. If your computer becomes infected with the virus,
the hackers can then obtain complete control of your PC.

Now, there are a couple things you should look out for when it comes to this
particular scam. First, the hackers usually try to send this e-mail out
right around the time when a monthly update is scheduled to arrive. And in
case you haven't noticed, we are now in a new month and the new updates will
be coming out next week sometime (right around October 9, 2007). So, keep
your eyes out for any unusual e-mails within the next week or so, because if
it's going to happen, it will be soon. Also, keep in mind that Microsoft
will never send you an e-mail about their updates. The updates will always
show up in your taskbar and nowhere else. Don't be fooled by a look-alike
Microsoft image. Like we always say, just use some common sense when you're
going through your e-mails. If something looks suspicious, delete it and
forget about it. If you do that, you'll be just fine!
  #2  
Old 03 October 2007, 08:40 AM
llewtrah
Join Date: 13 December 2001
Location: Chelmsford, UK
Posts: 10,952

I got the email yesterday. I run old versions of Windows so I automatically ignore those emails (they seem to be aimed at users of more recent Windows versions).
__________________
Llewtrah lutra (the Known Minx)
Messybeast Cat Stuff ** Blog/Book Reviews **Stories & Poetry ** Photos
This is the train for Hades, calling at All-Souls, Limbo, Purgatory, Underworld Central, Hades Parkway and Hades. Return tickets are not available on this route.
  #3  
Old 06 October 2007, 10:36 AM
BluesScale
Join Date: 29 December 2005
Location: Woolhampton, Berkshire, UK
Posts: 1,357

The warning talks a lot of sense and generally is perfectly true - there are a couple of additional points to make though.

There are two types of security updates released by Microsoft. In-band updates (there is apparently a legal issue with MS calling them patches) come out on the second Tuesday of each month. Out-of-band updates can be released at any point and these are generally for critical issues - but these will always be available from Windows Update and will always be detailed on http://www.microsoft.com/technet/security/current.aspx - there is also a webcast describing them on the Technet Site.

As for how notifications are given, most home users just find out from the Windows Update service popping up a notification in the task bar. However, notifications ARE available via email, RSS and instant messages - but these ALWAYS, ALWAYS, ALWAYS link back to a trusted site and executables are never sent by MS via instant message or email. Updates are not legally hosted on non-MS sites and any file which claims to be a security update and which is not located on a Windows Update site should be treated with deep suspicion - except on a corporate network where the administrator is likely to roll out updates using SMS (System Management Server, not Short Messaging Service).

For those with an obsessive interest, the MSRC blog may be of interest.

Hope that this helps keep folk safe

Blues
__________________
Still learning, every day
  #4  
Old 12 October 2007, 07:53 AM
Paulie Jay
 
Posts: n/a

I think the safest advice is simply to never use a link that appears in an email.
All times are GMT.